"When it comes to security budget, security organizations are very much like my children: They want to buy whatever they've seen last and is shiny and new and promises unbelievable results," says Alan Shimel, managing partner of The CISO Group. "A serious dose of pragmatism and maybe just a little maturity would go a long way."
Shimel says he has written about it and stomped his feet until blue in the face, mostly to no avail. It's a trend that Eric Cowperthwaite, former CISO of Providence Health and Services and now CORE Security's vice president of advanced security and strategy, has seen unfold time and again.
"All too often the spending is on things that will provide for compliance with laws and regulations or that are glitzy and sexy and in the trade news a lot," he says, explaining that an organization may make big investments in next-generation firewalls or a huge single-sign-on system while failing to attend to simple tasks, such as patch management or configuration management, on their systems. "We see organizations being exploited by social engineering and the compromise of systems that were not patched, even though the vulnerability was known for weeks, even months."
On the network side, network change management and firewall rules management fall squarely within this "blue-collar, meat-and-potatoes" kind of security management market, Shimel says. "It's just not as sexy to the guy who is looking for the security flux capacitor," he adds.
Management tools that offer more network controls and enable policy orchestration are foundational, but they may be a budgetary afterthought. And the longer they are back-burnered, the harder it can become politically to add them after the fact. As Shimel explains, if an organization spends several million over two to three years to pick up next-generation firewalls and update traditional firewalls, coming in after that is done and asking for another half-million dollars for firewall management to keep the rules properly configured on those systems may anger the CFO or CIO. But as IT organizations look into more iterative devops processes that require changing the network more frequently than ever, and as they start to dive into projects such as software-defined networking to make the network more dynamic, they may well be forced to bake security and change management into the budget cycle much earlier in the process, says Jody Brazil, president and CTO of firewall management firm FireMon.
"All of these great things get spun up at the click of a button within minutes of saying go, and then either the access doesn't exist, the access control systems aren't in place, or the reverse," Brazil says. "Access is automatically allowed, but now you don't have scanning set up to run against this new system, or the IPS isn't configured in tune for the fact this is a new application."
Brazil believes that as organizations are dragged into this more "operational world" of networking, security management is getting thrust front and center. He believes the tide is shifting, however, as he sees clients begin to worry more about those security management needs first before sparing change for those shiny new toys. For example, he mentions a customer in the federal space that is engaging his company before putting in a new slate of network security tools and next-generation firewalls, so the agency can lay the groundwork for day-to-day controls first.
"Security management is becoming part of that budget conversation," he says. "Whereas we often used to get brought in after the fact, they're starting with management and saying, 'Let's get this figured out first. Then we'll worry about expanding the rest of the infrastructure.'"